CVE-2026-50632

8.1 HIGH

A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been ide...

Published: 2026-06-12 · Last updated: 2026-06-12

Severity and scoring

CVSS: 8.1 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-20

Affected products

Vendor	Product
apache	cxf

Description

A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-50632
[Vendor advisory]https://lists.apache.org/thread/740ghch5z5y675cn2kzgtyo5k37n6qcw

Related CVEs

Same vendor

CVE-2026-50645 — There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can l... (7.5 HIGH)
CVE-2026-50634 — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticate... (6.5 MEDIUM)
CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
CVE-2026-50631 — A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and ... (7.4 HIGH)
CVE-2026-50630 — A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class (6.5 MEDIUM)

Same CWE

CVE-2026-45013 — ApostropheCMS is an open-source Node.js content management system (8.1 HIGH)
CVE-2026-54133 — jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP app... (9.8 CRITICAL)
CVE-2026-47196 — Quest Bot is an opensource Discord Bot
CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
CVE-2026-50628 — A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests fr...